We present here IMITATOR II, a new version of IMITATOR, a tool implementing the "inverse method" for parametric timed automata: given a reference valuation of the parameters, it synthesizes a constraint such that, for any valuation satisfying this constraint, the system behaves the same as under the reference valuation in terms of traces, i.e., alternating sequences of locations and actions. IMITATOR II also implements the "behavioral cartography algorithm", allowing us to solve the following good parameters problem: find a set of valuations within a given bounded parametric domain for which the system behaves well. We present new features and optimizations of the tool, and give results of applications to various examples of asynchronous circuits and communication protocols.



1 Introduction 

Timed automata [2] are finite control automata equipped with clocks, i.e., real-valued variables that increase uniformly and are compared with timing delays. One can check the correctness of a system modeled by a timed automaton for one particular value of each delay (using model checkers such as, e.g., Uppaal [23]), but this does not give any information for other values. Actually, checking the correctness of the system for all the delays, even in a bounded interval, would require an infinite number of calls to the model checker, because those delays can have real (or rational) values. It is therefore interesting to reason parametrically, by considering that these delays are unknown constants, or parameters, and to try to synthesize a constraint (i.e., a conjunction of linear inequalities) on these parameters which will guarantee a correct behavior of the system. Such automata are called parametric timed automata (PTA) [3].



The Good Parameters Problem for Timed Automata. We aim at solving the good parameters problem, as defined in [15] in the framework of linear hybrid automata [1]: "Given a PTA $\mathcal{A}$ and a rectangular parameter domain $V_0$, what is the largest set of parameter values within $V_0$ for which $\mathcal{A}$ is safe?"

The parameter design problem for timed automata (and more generally, for linear hybrid automata) was formulated in [19], where a straightforward solution is given, based on the generation of the whole parametric state space until a fixpoint is reached. Unfortunately, in all but the most simple cases, this is prohibitively expensive due, in particular, to the brute-force exploration of the whole parametric state space.

In [15], the authors propose an extension based on counterexample-guided abstraction refinement (CEGAR, [14]). When finding a counterexample, the system obtains constraints on the parameters that make the counterexample infeasible. When all the counterexamples have been eliminated, the resulting constraints describe a set of parameters for which the system is safe.
Contributions. The tool IMITATOR II presented in this paper is based on the inverse method [5], which starts from a "good instantiation" $\pi_0$ of the parameters that one wants to generalize. More precisely, IMITATOR II synthesizes a constraint $K_0$ on the parameters that corresponds to a dense set of valuations such that, for every instantiation $\pi$ of the parameters in this set, the behavior of the timed automaton $\mathcal{A}$ under $\pi$ is (time-abstract) equivalent to its behavior under $\pi_0$, in the sense that they have the same trace sets. This is useful to relax timing bounds, and gives a criterion of robustness.

Moreover, IMITATOR II implements the behavioral cartography algorithm [6], which synthesizes a constraint on the parameters (a "tile") by calling the inverse method on the integer points located within a given bounded real-valued parameter domain (rectangle) $V_0$. This algorithm allows us to partition the parametric space into a subset of "good" tiles (which correspond to "good behaviors") and a subset of "bad" ones. In practice, what is covered is often not only the integer subspace of $V_0$, but two major extensions of it: first, not only the integer points but a major part of the dense set of real-valued points of $V_0$ is covered by the tiles; second, the tiles are often unbounded w.r.t. several dimensions (hence are infinite), and cover most of the parametric space beyond $V_0$, thus giving a solution to the good parameters problem.

IMITATOR II is a new version of IMITATOR, a prototype written in Python [26] implementing the inverse method, and calling the model checker HyTech [18]. IMITATOR II has been entirely rewritten and is now a standalone tool, making use of the Apron library [20] and the Parma Polyhedra Library [9]. Compared to IMITATOR, the computation times of IMITATOR II have dramatically decreased. Moreover, IMITATOR II offers new features, such as the implementation of the cartography algorithm, the visualization of the trace sets of the constraints, and of the cartography (for 2 parameter dimensions).

Related Tools. IMITATOR II has been designed to implement the inverse method and the cartography algorithm and, as far as we know, it is the only tool implementing this kind of algorithm. Although it is thus not possible to compare directly the computation times of IMITATOR II with other tools, it is interesting to mention the following tools that perform related analyses of timed systems.

HyTech [18] is the first model checker for analyzing parametric hybrid automata. It features an intuitive input syntax, and performs reachability analysis and operations on state sets. Although HyTech has been used to verify interesting case studies, it can hardly verify even medium-sized examples because of its limited-precision arithmetic leading to overflows, and its static composition of the automata, preventing the composition of more than a dozen automata.

The tool PHAVer [17], designed by Goran Frehse, greatly improves scalability compared to HyTech, and performs analyses on parametric hybrid systems using exact arithmetic with unlimited precision and convex polyhedra, using the Parma Polyhedra Library (PPL) [9]. Moreover, PHAVer offers various features such as automatic partitioning, graphical outputs, and forward/backward abstraction refinement. Various case studies have been verified, in particular in the framework of analog circuits [16].

Uppaal is a powerful tool for model checking timed automata extended with several data types [23]. In particular, it verifies very efficiently timing properties such as reachability, safety or liveness properties on timed automata. However, although an extension allowing parametric model checking has been mentioned, the standard version of Uppaal does not allow the use of hybrid or parametric systems.

TReX [8] is a model checker for verifying properties on parametric timed automata extended with integer counters and finite-domain variables. TReX features on-the-fly verification of safety properties, as well as parameter synthesis either using parametric reachability, or in order to satisfy properties. Various representations are allowed and both forward and backward exploration algorithms can be used.

Finally, the RED library [25] features analysis of real-time systems using Clock-Restriction Diagrams, as well as parametric analysis of hybrid systems using Hybrid-Restriction Diagrams.
Plan of the Paper. We first recall the framework of parametric timed automata, the inverse method algorithm and the behavioral cartography algorithm in Section 2. We then introduce IMITATOR II in Section 3 and give details on its internal structure and its various features. We present in Section 4 a range of case studies including hardware devices and unbounded communication protocols. We give final remarks in Section 5.

2 Behavioral Cartography of Timed Automata 

Parametric Timed Automata. We use in this paper the same formalism as in [5]. Throughout this paper, we assume a fixed set $X = \{x_1, \ldots, x_H\}$ of clocks, and a fixed set $P = \{p_1, \ldots, p_M\}$ of parameters. Given a constraint $C$ on the clocks and the parameters, the expression $\exists X : C$ denotes the constraint on the parameters obtained from $C$ after elimination of the clocks.

Parametric timed automata are an extension of timed automata [2] to the parametric case, allowing within guards and invariants the use of parameters in place of constants [3]. A parametric timed automaton (PTA) $\mathcal{A}$ is a 6-tuple of the form $\mathcal{A} = (\Sigma, Q, q_0, K, I, \rightarrow)$, where $\Sigma$ is a finite set of actions, $Q$ is a finite set of locations, $q_0 \in Q$ is the initial location, $K$ is a constraint on the parameters, $I$ is the invariant assigning to every $q \in Q$ a constraint $I(q)$ on the clocks and the parameters, and $\rightarrow$ is a step relation consisting of elements of the form $(q, g, a, \rho, q')$ where $q, q' \in Q$, $a \in \Sigma$, $\rho \subseteq X$ is a set of clocks to be reset by the step, and $g$ (the step guard) is a constraint on the clocks and the parameters.

In the sequel, we consider the PTA $\mathcal{A} = (\Sigma, Q, q_0, K, I, \rightarrow)$. We simply denote this PTA by $\mathcal{A}(K)$, in order to emphasize the fact that only $K$ will change in $\mathcal{A}$. For every parameter valuation $\pi = (\pi_1, \ldots, \pi_M)$, $\mathcal{A}[\pi]$ denotes the PTA $\mathcal{A}(K)$, where $K$ is $\bigwedge_{i=1}^{M} p_i = \pi_i$. This corresponds to the PTA obtained from $\mathcal{A}$ by substituting every occurrence of a parameter $p_i$ by the constant $\pi_i$ in the guards and invariants. We say that $p_i$ is instantiated with $\pi_i$. Note that $\mathcal{A}[\pi]$ is a standard timed automaton.

A (symbolic) state $s$ of $\mathcal{A}(K)$ is a couple $(q, C)$ where $q$ is a location, and $C$ a constraint on the clocks and the parameters. The initial state of $\mathcal{A}(K)$ is a state $s_0$ of the form $(q_0, C_0)$, where $C_0 = K \wedge I(q_0) \wedge \bigwedge_{i=1}^{H-1} x_i = x_{i+1}$. In the latter expression, $K$ is the initial constraint on the parameters, $I(q_0)$ is the invariant of the initial state, and the rest of the expression lets clocks evolve from the same initial value. A run $R$ of $\mathcal{A}(K)$ is an alternating sequence of states and actions of the form $(q_0, C_0) \stackrel{a_0}{\Rightarrow} (q_1, C_1) \stackrel{a_1}{\Rightarrow} \cdots \stackrel{a_{m-1}}{\Rightarrow} (q_m, C_m)$, such that for all $i = 0, \ldots, m-1$, $a_i \in \Sigma$ and $(q_i, C_i) \stackrel{a_i}{\Rightarrow} (q_{i+1}, C_{i+1})$ is a step of $\mathcal{A}(K)$. The trace associated to $R$ is the alternating sequence of locations and actions $q_0 \stackrel{a_0}{\Rightarrow} \cdots \stackrel{a_{m-1}}{\Rightarrow} q_m$. The trace set of $\mathcal{A}(K)$ refers to the set of traces associated to the runs of $\mathcal{A}(K)$.

In the following, we are interested in verifying properties on trace sets. For example, a trace can be said to be "good" if it never contains any "bad" location of a given set, or if a given action always occurs before another one (see [6]). Given such a property on traces, we say that a trace is good if it satisfies the property, and bad otherwise. Likewise, we say that a trace set is good if all its traces are good, and bad otherwise. Actually, the good behaviors that can be captured with trace sets are relevant to linear-time properties [10], which can express properties more general than reachability properties.

The Inverse Method. We recall here the inverse method algorithm $IM(\mathcal{A}, \pi_0)$, as defined in [5], which synthesizes a constraint $K_0$ on the parameters such that $\pi_0 \models K_0$, and for all $\pi \in K_0$, the trace sets of $\mathcal{A}[\pi]$ and $\mathcal{A}[\pi_0]$ are equal. Starting with $K = \mathit{true}$, we iteratively compute a growing set of reachable states. When a $\pi_0$-incompatible state $(q, C)$ is encountered (i.e., when $\pi_0 \not\models (\exists X : C)$), $K$ is refined as follows: a $\pi_0$-incompatible inequality $J$ (i.e., such that $\pi_0 \not\models J$) is selected within the projection of $C$ onto the parameters and $\neg J$ is added to $K$. The procedure is then started again with this new $K$, and so on, until no new state is computed. We finally return the intersection of the projections onto the parameters of all the constraints associated to the reachable states.

The output of IM is a behavioral tile in the following sense: a constraint $K$ is said to be a behavioral tile (or more simply a tile), if for all $\pi_1, \pi_2 \in K$, the trace sets of $\mathcal{A}[\pi_1]$ and $\mathcal{A}[\pi_2]$ are equal. Note that a tile corresponds to a convex and dense set of real-valued points. Given a tile $K$, the trace set of $\mathcal{A}(K)$ will be referred to as "the trace set of $K$".



Algorithm 1: $IM(\mathcal{A}, \pi_0)$

input : A PTA $\mathcal{A}$ of initial state $s_0$
input : Valuation $\pi_0$ of the parameters
output: Constraint $K$ on the parameters

1  $i \leftarrow 0$ ; $K \leftarrow \mathit{true}$ ; $S \leftarrow \{s_0\}$
2  while true do
3      while there are $\pi_0$-incompatible states in $S$ do
4          Select a $\pi_0$-incompatible state $(q, C)$ of $S$ (i.e., s.t. $\pi_0 \not\models (\exists X : C)$) ;
5          Select a $\pi_0$-incompatible inequality $J$ in $(\exists X : C)$ (i.e., s.t. $\pi_0 \not\models J$) ;
6          $K \leftarrow K \wedge \neg J$ ;
7          $S \leftarrow \bigcup_{j=0}^{i} \mathit{Post}^{j}_{\mathcal{A}(K)}(\{s_0\})$ ;
8      if $\mathit{Post}_{\mathcal{A}(K)}(S) \sqsubseteq S$ then return $K \leftarrow \bigcap_{(q,C) \in S} (\exists X : C)$
9      $i \leftarrow i + 1$ ; $S \leftarrow S \cup \mathit{Post}_{\mathcal{A}(K)}(S)$ ; // $S = \bigcup_{j=0}^{i} \mathit{Post}^{j}_{\mathcal{A}(K)}(\{s_0\})$



The algorithm IM is given in Algorithm 1. We define $\mathit{Post}^{i}_{\mathcal{A}(K)}(S)$ as the set of states reachable from $S$ in exactly $i$ steps, and $\mathit{Post}^{*}_{\mathcal{A}(K)}(S)$ as the set of all states reachable from $S$ in $\mathcal{A}(K)$ (i.e., $\mathit{Post}^{*}_{\mathcal{A}(K)}(S) = \bigcup_{i \geq 0} \mathit{Post}^{i}_{\mathcal{A}(K)}(S)$). Given two sets of states $S$ and $S'$, we write $S \sqsubseteq S'$ iff $\forall s \in S, \exists s' \in S'$ s.t. $s = s'$.



The Behavioral Cartography Algorithm. By iterating the above inverse method IM over all the integer points of a rectangle $V_0$ (of which there are a finite number), one is able to decompose (most of) the parametric space included in $V_0$ into behavioral tiles. We recall in Algorithm 2 the behavioral cartography algorithm, as defined in [6].



Algorithm 2: Behavioral Cartography Algorithm $BC(\mathcal{A}, V_0)$

input : A PTA $\mathcal{A}$, a finite rectangle $V_0 \subseteq \mathbb{R}^{M}_{\geq 0}$
output: Tiling: list of tiles (initially empty)

1  repeat
2      select an integer point $\pi \in V_0$;
3      if $\pi$ does not belong to any tile of Tiling then add $IM(\mathcal{A}, \pi)$ to Tiling;
4  until Tiling contains all the integer points of $V_0$;



In practice, most of (the real-valued space of) $V_0$ is covered by Tiling (see case studies in Section 4), although some "holes" (i.e., small zones containing no integer point) may sometimes remain uncovered by Tiling. Furthermore, the space covered by Tiling often largely exceeds the limits of $V_0$.

According to a given property on traces one wants to check, it is possible to partition trace sets between good and bad, and thus to partition the rectangle $V_0$ into a good subspace (union of good tiles) and a bad subspace (union of bad tiles).

The main advantage of this algorithm is that the cartography does not depend on the property one wants to check. Only the partition between good and bad tiles does. Moreover, the algorithm does not compute the set of all the reachable states; on the contrary, each call to IM quickly reduces the state space by removing the "bad" states. This allows us to overcome the state space explosion problem, which often prevents other methods, such as the computation of the whole set of reachable states, from terminating.

3 Implementation 

Features. The input syntax of IMITATOR II to describe the network of PTAs modeling the system is given in [27], and is very close to the HyTech syntax. IMITATOR II implements the ability to perform a full reachability analysis (computation of the set of all the reachable states), the inverse method algorithm, and the behavioral cartography algorithm.

When applying the inverse method, IMITATOR II takes as input a file describing the network of PTAs, and another file giving the reference valuation. It synthesizes a constraint solving the inverse problem, as well as the corresponding trace set in graphical form (see the example in Figure 1, left). The description of all the parametric reachable states is also returned.




Figure 1: Examples of trace set (left) and of cartography (right)

When applying the behavioral cartography, IMITATOR II takes as input a file describing the network of PTAs, and another file giving the reference rectangle, i.e., the bounds to consider for each parameter. It synthesizes a list of tiles, as well as the trace set corresponding to each tile in graphical form. For systems with only two parameter dimensions, the cartography is also returned in graphical form (see the example in Figure 1, right). Two different modes can be considered for BC: (1) cover all the integer points of $V_0$ or, (2) call the inverse method a given number of times on an integer point selected randomly within $V_0$ (which is interesting for rectangles containing a very large number of integer points but few different tiles). As shown in Table 1, all those features (except the inverse method) are new features which were not available in IMITATOR.






IMITATOR II: A Tool for Solving the Good Parameters Problem in Timed Automata 



Tool        | Inverse Method | Cartography | Computation of traces | Graphical output
------------|----------------|-------------|-----------------------|-----------------
IMITATOR    | yes            | no          | no                    | no
IMITATOR II | yes            | yes         | yes                   | yes

Table 1: Comparison of the features of IMITATOR and IMITATOR II



Among the options of the tool (see [27] for an exhaustive list), one can mention the possibility to add a limit for the depth of the Post operation, or for the execution time, and an option for acyclic systems that avoids checking whether a state has been computed before.

Implementation. IMITATOR II is a tool written in OCaml, making use of an external library for manipulating convex polyhedra, which can be, depending on the user's preference, either the NewPolka library, available in the Apron library [20], or the Parma Polyhedra Library (PPL) [9]. The trace sets, as well as the cartography for 2 parameter dimensions, are output in graphical form using the DOT module of the graph visualization software Graphviz [28]. IMITATOR II contains about 9000 lines of code, and its development took about 6 man-months.

States are represented using a triple $(q, v, C)$ made of the current location $q$ in each automaton, a value for each discrete variable¹ $v$, and a constraint $C$ on the clocks and the parameters. In order to optimize the test of equality between a newly computed state and the set of states computed previously, the states are stored in a hash table as follows: to a given key $(q, v)$ of the hash table, we associate a list of constraints $C_1, \ldots, C_n$, corresponding to the $n$ states $(q, v, C_1), \ldots, (q, v, C_n)$. Contrary to HyTech, IMITATOR II uses exact arithmetic with unlimited precision, and performs an on-the-fly composition of the automata, allowing the analysis of bigger systems, and drastically decreasing the computation time compared to IMITATOR (see Section 4).

Optimization. Line 7 in Algorithm 1 corresponds to the computation of all the states reachable in up to $i$ steps from $s_0$, with the new constraint $K$ that has just been updated with the addition of some $\neg J$. However, this computation is redundant because no new state can be computed (because $K$ has been restrained with $\neg J$), and no state previously computed can be removed (because both $\neg J$ and the states previously computed are $\pi_0$-compatible). Instead, we simply update the set $S$ of states by adding $\neg J$ to all the states computed, by replacing line 7 in Algorithm 1 by the portion of algorithm given in Algorithm 3.



Algorithm 3: Modification of the Inverse Method Algorithm

1  foreach $(q, C) \in S$ do
2      $C \leftarrow C \wedge \neg J$
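As an added illustration (not code from the paper or from IMITATOR II), the following Python program implements $IM(\mathcal{A}, \pi_0)$ of Section 2 together with the Algorithm 3 update of $S$, on a constructed toy PTA with one clock and two parameters: conjunctions of linear inequalities over exact rationals stand in for the Apron/PPL polyhedra, $\exists X$ and time elapse are computed by Fourier-Motzkin elimination, and the PTA is assumed acyclic, so, as with the tool's acyclic option, no comparison with previously computed states is needed and the fixpoint of line 8 is reached when no successor remains. The PTA `TOY`, the reference valuation $\pi_0 = (6, 5)$, and all function names are assumptions of this example.

```python
from fractions import Fraction as Fr
# An inequality is (coef, bound, strict): sum(coef[v] * v) <= bound, or < bound when strict.
def ineq(coef, bound, strict=False):
    return ({v: Fr(c) for v, c in coef.items() if c != 0}, Fr(bound), strict)
def trivial(i):  # variable-free and true, such as "0 <= 3"
    return not i[0] and (i[1] > 0 if i[2] else i[1] >= 0)

def eliminate(ineqs, var):
    """Fourier-Motzkin elimination of `var`: the existential projection used in the paper."""
    pos = [i for i in ineqs if i[0].get(var, 0) > 0]
    neg = [i for i in ineqs if i[0].get(var, 0) < 0]
    out = [i for i in ineqs if var not in i[0]]
    for cp, bp, sp in pos:
        for cn, bn, sn in neg:
            ap, an = cp[var], -cn[var]  # scale both sides so that `var` cancels out
            coef = {v: an * cp.get(v, 0) + ap * cn.get(v, 0) for v in set(cp) | set(cn)}
            new = ineq(coef, an * bp + ap * bn, sp or sn)
            if not trivial(new): out.append(new)
    return out

def project(ineqs, variables):  # (exists variables : ineqs)
    for v in variables:
        ineqs = eliminate(ineqs, v)
    return ineqs
def satisfiable(ineqs, variables):  # only true constant facts may survive full elimination
    return all(trivial(i) for i in project(ineqs, variables))
def holds(i, point):  # does the valuation `point` satisfy inequality i?
    lhs = sum(a * point[v] for v, a in i[0].items())
    return lhs < i[1] if i[2] else lhs <= i[1]
def negate(i):  # not (a.v <= b) is -a.v < -b, and vice versa
    return ineq({v: -a for v, a in i[0].items()}, -i[1], not i[2])

def elapse(ineqs, clocks):
    """Time elapse: every clock x becomes x + t with t >= 0, then t is eliminated."""
    shifted = [ineq({**c, "t": -sum(c.get(x, 0) for x in clocks)}, b, s) for c, b, s in ineqs]
    return eliminate(shifted + [ineq({"t": -1}, 0)], "t")
def reset(ineqs, clocks):  # the clocks listed are set to 0
    for x in clocks:
        ineqs = eliminate(ineqs, x) + [ineq({x: 1}, 0), ineq({x: -1}, 0)]
    return ineqs

def post(pta, states, K):
    """Successors: guard, reset, target invariant, time elapse, invariant again, and K."""
    succ = []
    for q, C in states:
        for src, guard, _action, resets, dst in pta["trans"]:
            if src == q:
                inv = pta["inv"].get(dst, [])
                C2 = elapse(reset(C + guard, resets) + inv, pta["clocks"]) + inv + K
                if satisfiable(C2, pta["clocks"] + pta["params"]):
                    succ.append((dst, C2))
    return succ

def inverse_method(pta, pi0):
    """IM(A, pi0) with the Algorithm 3 update; the PTA is assumed acyclic (no revisit check)."""
    clocks, params, q0 = pta["clocks"], pta["params"], pta["init"]
    inv0 = pta["inv"].get(q0, [])
    zero = [ineq({x: s}, 0) for x in clocks for s in (1, -1)]  # all clocks start equal
    S = frontier = [(q0, elapse(zero + inv0, clocks) + inv0)]
    K = []
    while frontier:
        while True:  # refine K until every computed state is pi0-compatible
            bad = [J for _, C in S for J in project(C, clocks) if not holds(J, pi0)]
            if not bad: break
            notJ = negate(bad[0])  # pi0 violates J, hence satisfies not J
            K.append(notJ)
            alive = lambda C: satisfiable(C + [notJ], clocks + params)
            S = [(q, C + [notJ]) for q, C in S if alive(C)]  # a state emptied by not J vanishes
            frontier = [(q, C + [notJ]) for q, C in frontier if alive(C)]
        frontier = post(pta, frontier, K)
        S = S + frontier
    # K0 = intersection over all reachable states of (exists X : C), duplicates removed
    K0 = {(tuple(sorted(c.items())), b, s): (c, b, s) for _, C in S for c, b, s in project(C, clocks)}
    return list(K0.values())
# Constructed toy PTA: clock x, parameters p1, p2; invariant of q0 is x <= p2, and the transitions
# are q0 --a [x >= p1]--> q1 and q0 --b [x >= p2]--> q2.  Under pi0 = (6, 5), action a is disabled.
TOY = {"clocks": ["x"], "params": ["p1", "p2"], "init": "q0",
       "inv": {"q0": [ineq({"x": 1, "p2": -1}, 0)]},
       "trans": [("q0", [ineq({"x": -1, "p1": 1}, 0)], "a", [], "q1"),
                 ("q0", [ineq({"x": -1, "p2": 1}, 0)], "b", [], "q2")]}
```

Under $\pi_0 = (6, 5)$ the synthesized tile is $p_2 \geq 0 \wedge p_2 < p_1$ (the strict bound comes from negating $p_1 \leq p_2$), while under $\pi_0 = (3, 5)$ it is $p_2 \geq 0 \wedge p_1 \leq p_2$.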



4 Case Studies 

We present in this section a range of case studies of asynchronous circuits and communication protocols. The source code of IMITATOR II and various binaries, as well as the input files for all those case studies, can be found in [27]. Experiments were conducted on an Intel Core2 Duo 2.4 GHz with 2 Gb of memory.

¹ Discrete variables are syntactic sugar allowing several locations to be factorized into a single one. In IMITATOR II, discrete variables are integer variables that can be updated using constants or other discrete variables.



E. André






Inverse Method. The results of the application of the inverse method to various case studies are given in Table 2. We give from left to right the name of the example, the number of PTAs composing the global system $\mathcal{A}$, the lower and upper bounds on the number of locations per PTA, the number of clocks and of parameters of $\mathcal{A}$, the number of iterations of the algorithm, the number of inequalities within $K_0$, the numbers of states and of transitions, the computation time in seconds using IMITATOR, and the computation time in seconds using IMITATOR II.



Example        | PTAs | loc./PTA | clocks | params | iter. | ineq. in K0 | states | trans. | Time1 (s) | Time2 (s)
---------------|------|----------|--------|--------|-------|-------------|--------|--------|-----------|----------
SR-latch       | 3    | [3,8]    | 3      | 3      | 5     | 2           | 4      | 3      | 0.11      | 0.007
Flip-flop [13] | 5    | [4,16]   | 5      | 12     | 9     | 6           | 11     | 10     | 1.6       | 0.122
And-Or [12]    | 3    | [4,8]    | 4      | 12     | 14    | 4           | 13     | 13     | 1.81      | 0.15
Valmem Latch   | 7    | [2,5]    | 8      | 13     | 12    | 6           | 18     | 17     | 14.4      | 0.345
CSMA/CD [22]   | 3    | [3,8]    | 3      | 3      | 19    | 2           | 219    | 342    | 41        | 1.01
RCP [21]       | 5    | [6,11]   | 6      | 5      | 20    | 2           | 327    | 518    | 64        | 2.3
SPSMALL1 [11]  | 10   | [3,8]    | 10     | 26     | 32    | 23          | 31     | 30     | 4680      | 2.6
BRP [24]       | 6    | [2,6]    | 7      | 6      | 30    | 7           | 429    | 474    | 901       | 34
SPSMALL2 [11]  | 28   | [2,11]   | 28     | 5      | 92    | 8           | 472    | 548    | -         | 1755

Table 2: Summary of experiments for the inverse method (Time1: IMITATOR, Time2: IMITATOR II; "-" means the analysis could not be run with IMITATOR, see below)



The SPSMALL case study corresponds to an asynchronous memory sold by ST-Microelectronics, and studied in the framework of the VALMEM project. We considered two versions of this case study: the first one ("SPSMALL1") was manually abstracted from the VHDL code (see [11]) and several gates have been merged into a single PTA. The second model ("SPSMALL2") has been automatically generated from the VHDL code without any simplification. It is impossible to analyze SPSMALL2 using the first version of IMITATOR because HyTech runs out of memory when trying to statically compose the 28 automata in parallel.

The Valmem latch is an example of latch studied in the framework of the VALMEM project.

Note that the computation time using IMITATOR II has dramatically decreased compared to IMITATOR for all examples: the time has been divided by at least 10, and by up to 2000 for the SPSMALL1 memory. Explanations for this large improvement are the rewriting of the tool using a library of convex polyhedra instead of calls to HyTech, the on-the-fly composition of the different PTAs, and the optimization of the algorithm described in Section 3.

Behavioral Cartography. The results of the application of the behavioral cartography algorithm to various case studies are given in Table 3. We give from left to right the name of the example, the number of PTAs composing the global system $\mathcal{A}$, the lower and upper bounds on the number of locations per PTA, the number of clocks of $\mathcal{A}$ (those first 4 columns are identical to Table 2), the number of parameters varying in the cartography, the number of integer points within $V_0$, the number of tiles computed, the average numbers per tile of states and of transitions of the trace set, and the computation time in seconds using IMITATOR II (since the cartography is a new feature available in IMITATOR II only, no comparison is possible with IMITATOR).

For all those examples, the cartography covers 100 % of the real-valued space of $V_0$, except for the Root Contention Protocol (RCP in Table 3), where "only" 99.99 % of $V_0$ is covered. Moreover, a significant part of the real-valued space outside $V_0$ is also covered.

Note that it is possible to find examples for which the algorithm BC does not terminate for some $V_0$, because the algorithm IM does not terminate for some $\pi \in V_0$. This is in particular the case of the "And-Or" circuit considered in [12], for a different $V_0$ from the one considered in Table 3.
Example        | PTAs | loc./PTA | clocks | params | integer points in V0 | tiles | states | trans. | Time (s)
---------------|------|----------|--------|--------|----------------------|-------|--------|--------|---------
SR-latch       | 3    | [3,8]    | 3      | 3      | 1331                 | 6     | 5      | 4      | 0.3
Flip-flop [13] | 5    | [4,16]   | 5      | 2      | 644                  | 8     | 15     | 14     | 3
And-Or [12]    | 3    | [4,8]    | 4      | 6      | 75600                | 4     | 64     | 72     | 118
Valmem Latch   | 7    | [2,5]    | 8      | 4      | 73062                | 5     | 21     | 20     | 96.3
CSMA/CD [22]   | 3    | [3,8]    | 3      | 3      | 2000                 | 140   | 349    | 545    | 269
RCP [21]       | 5    | [6,11]   | 6      | 3      | 186050               | 19    | 5688   | 9312   | 7018
SPSMALL1 [11]  | 10   | [3,8]    | 10     | 2      | 3149                 | 259   | 60     | 61     | 1194

Table 3: Summary of experiments for the cartography algorithm (states and trans. are averages per tile; time with IMITATOR II)



5 Conclusion 

IMITATOR II allows us to solve the good parameters problem for timed automata by iterating the inverse method on the integer points of a real-valued parameter domain $V_0$. In practice, our cartography algorithm covers not only (most of) $V_0$ but also a significant part of the whole parametric space beyond $V_0$. The tool has been successfully applied to various examples of asynchronous circuits and protocols.

Ongoing and Future Work. Ulrich Kühne is currently extending IMITATOR II to hybrid systems, where clocks evolve at different rates. Romain Soulat is currently implementing variants and optimizations of IM in order to verify larger asynchronous memory circuits, in particular using an on-the-fly intersection of the constraints associated to the states, allowing states to be merged. A variant of IM is also under implementation, where the fixpoint condition (line 8 of Algorithm 1) is modified as follows: instead of checking whether all new states are equal to states computed previously, we check whether all new states are included (in the sense of constraint inclusion) in former states.

Future work includes the automatic partition into good and bad tiles, using an external tool such as Uppaal. We are also studying a "dynamic" cartography, where the space unit between the selected points (so far, one integer) can be refined in order to fill the remaining holes. It would also be interesting to reason in a backward manner, i.e., considering a Pre operation instead of Post in Algorithm 1.

Acknowledgments. I thank Bertrand Jeannet for his help in linking IMITATOR II with Apron, Ulrich Kühne for the interface with PPL, and Daphne Dussaud for the graphical output of the cartography.